GDPR Article 28

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between Cresva, Inc. ("Processor") and the customer ("Controller") for the provision of the Cresva Service. It governs how we process personal data on your behalf.

Last updated: February 6, 2026

Legal name: Cresva, Inc. • DPA inquiries: hello@cresva.ai

For Enterprise & Agency Customers

This DPA applies automatically to all customers on paid plans. It covers GDPR, UK GDPR, and CCPA requirements. You can request a countersigned copy or a custom DPA for enterprise needs.

1. Overview & scope

This DPA applies to the processing of personal data by Cresva on behalf of the Controller in connection with the provision of the Cresva Service. It supplements the Terms of Service and is incorporated by reference.

This DPA covers:

  • Processing of customer marketing data from connected ad platforms
  • Processing of end-user personal data through the Service
  • GDPR (EU), UK GDPR, and CCPA/CPRA compliance obligations
  • Standard Contractual Clauses (Annex) for international transfers

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

2. Definitions

"Controller"

The customer entity that determines the purposes and means of processing personal data through the Cresva Service.

"Processor"

Cresva, Inc., which processes personal data on behalf of the Controller to provide the Service.

"Personal Data"

Any information relating to an identified or identifiable natural person, as defined by applicable data protection law.

"Subprocessor"

A third party engaged by the Processor to process personal data on behalf of the Controller.

"Data Breach"

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.

"SCCs"

Standard Contractual Clauses approved by the European Commission (2021/914) for the transfer of personal data to third countries.

3. Roles & responsibilities

Controller Responsibilities (Customer)

  • Determine the lawful basis for processing
  • Provide clear and documented processing instructions
  • Ensure data subjects are properly informed
  • Respond to data subject requests (with Processor assistance)

Processor Responsibilities (Cresva)

  • Process data only on documented instructions from the Controller
  • Implement appropriate technical and organizational measures
  • Assist the Controller with data subject rights requests
  • Notify Controller of data breaches without undue delay
  • Ensure confidentiality obligations on all personnel

4. Processing details

The following details the processing activities performed under this DPA:

Subject Matter

Provision of marketing analytics, AI insights, and forecasting services

Duration

For the duration of the service agreement plus retention period

Nature & Purpose

Collection, storage, analysis, and visualization of marketing performance data

Types of Data

Campaign metrics, ad performance, OAuth tokens, usage analytics

Data Subjects

Controller's employees, team members, and end users of the Service

Special Categories

None. We do not process special category data under this DPA.

5. Processor obligations

As Processor, Cresva commits to the following obligations under Article 28 GDPR:

Documented instructions

Process data only on the Controller's documented instructions, including with respect to transfers

Confidentiality

Ensure all authorized personnel have committed to confidentiality or are under an appropriate statutory obligation

Security measures

Implement all measures required by Article 32 GDPR (see Section 6)

Subprocessor management

Engage subprocessors only with prior authorization and binding DPAs (see Section 7)

Assistance with obligations

Assist the Controller with DSARs, DPIAs, and compliance with Articles 32–36 GDPR

Audit rights

Make available all information necessary to demonstrate compliance; allow and contribute to audits

6. Security measures

In accordance with Article 32 GDPR, we implement the following technical and organizational measures:

Encryption

TLS 1.2+ in transit, AES-256 at rest

Access Control

RBAC, MFA, least-privilege principle

Infrastructure

SOC 2 compliant hosting (Vercel, AWS/GCP)

Monitoring

24/7 intrusion detection, automated alerts

Backups

Encrypted, automated, with tested recovery

Personnel

Security training, NDAs, background checks

7. Subprocessors

The Controller provides general written authorization for the Processor to engage subprocessors. The current list of subprocessors:

  • Vercel, Inc. - Hosting & CDN (US)
  • Amazon Web Services / Google Cloud Platform - Cloud infrastructure (US)
  • Stripe, Inc. - Payment processing (US)
  • OpenAI / Anthropic - AI processing (US, with DPAs)
  • PostHog - Product analytics (US/EU)
  • SendGrid / Resend - Email delivery (US)

New subprocessors: We will notify the Controller at least 30 days before engaging a new subprocessor, providing the Controller with the opportunity to object. If no objection is raised within 14 days, consent is deemed given.

8. International transfers

Personal data may be transferred to the United States where Cresva operates. We ensure adequate protection through:

Standard Contractual Clauses

EU Commission-approved SCCs (2021/914) are incorporated into this DPA as an Annex. Module Two (Controller to Processor) applies.

UK International Data Transfer Addendum

For UK GDPR, the UK IDTA is incorporated alongside the SCCs.

Supplementary Measures

Encryption, pseudonymization, access controls, and Transfer Impact Assessments as recommended by the EDPB.

9. Breach notification

Breach Notification Timeline

  • Within 48 hours: Processor notifies Controller after becoming aware of a Data Breach
  • Notification includes: Nature of breach, categories of data, approximate number of data subjects, likely consequences, and measures taken
  • Ongoing cooperation: Processor shall cooperate with Controller and take reasonable steps to mitigate the breach

10. Data subject requests

Cresva will assist the Controller in fulfilling its obligations to respond to data subject requests (DSARs) under applicable data protection law:

  • If we receive a DSAR directly, we will promptly redirect it to the Controller
  • We will provide technical assistance to fulfill access, rectification, erasure, portability, and restriction requests
  • We provide data export functionality within the Service for portability requests
  • Response assistance will be provided within 10 business days of the Controller's request

11. Data return & deletion

Upon termination of the service agreement or at the Controller's written request:

At termination:

  • Data export: Controller may export their data within 30 days of termination
  • Deletion: All personal data deleted within 30 days after termination (or export period, whichever is later)
  • Backups: Purged from backup systems within 90 days
  • Certification: Written confirmation of deletion available upon request

Exception: Data required by law to be retained (e.g., billing records for tax compliance) will be retained for the legally mandated period and then securely deleted.

12. How to execute a DPA

Need a signed DPA?

This DPA applies automatically to all paid plans. For a countersigned copy, custom amendments, or enterprise DPAs, contact us.

Email: hello@cresva.ai (subject: "DPA Request")

Company: Cresva, Inc.

Turnaround: Countersigned DPA within 5 business days